How much information security is enough security?
Infocon is an initiative by Prime Infoserv, Kolkata, and Wordsmith has been a collaborator in it. Any contemporary CXO who is not concerned with the theme (and confusion) called Information Security either does not exist or will soon be facing a bankruptcy judge.
Billions are lost by private and public institutions worldwide through gaps in securing information. Information is literally money. If you are a financial institution and your customer database is compromised, the fall-out ranges from seriously embarrassing to catastrophic.
The Problem of Mr. K, a CIO of the castle called Kolkata
Mr. K is the CIO of a large healthcare company in Kolkata. He spent 60% of his life without the internet, and now, at the mature peak of his career, he finds that he must reckon with information security. His CEO has instructed him to "do something". What should he do?
In an enterprise, any "doing" needs management time, money and attention (follow-up). More important, no vendor appears able to answer the questions "How much information security is good security?" and "How much should I spend, assuming the solutions are the right ones?"
Mr. K found, to his great confusion, that he was unable to get these "figures".
On an autumn morning in Kolkata, post-Durga Puja last year, Sushobhan, CEO of Prime, and I met Mr. K in his East Calcutta office, overlooking the wetlands of Calcutta that appear to merge into the Sunderbans. Mr. K narrated his predicament, above all the question "How much money and resource should I ask my top management to approve?" for implementing the solution he had selected. The difficulty lay in the very nature of the solution: it is tied directly to the threat, whether real, perceived, imagined or enmeshed in the business interest of the information security vendor.
The Mathematical Model
In other words, we need an analytic framework backed by a cold, austere and objective mathematical perspective, rather than by paranoia, vendor interest, disaster porn, technical jargon, or hardware and software vendors lining up their exotic offerings like priests of some esoteric cult.
There is a mathematical model, the Gordon-Loeb model (Lawrence Gordon and Martin Loeb, 2002), that does exactly that. It treats security spending as an economic decision: it takes the probability that the information is compromised, the loss if it is, and how much each unit of spending reduces that probability, and from these derives a provable upper bound on what it is rational to spend.
After the coffee, Sushobhan and I told Mr. K that he should spend no more than 37% (more precisely, 1/e) of the amount X, the expected loss from a breach, where
X = v × L
with v the probability that the information is actually compromised over the planning period and L the loss (cost plus impact) the organisation suffers if it is. The 37% figure is a ceiling, not a target: for the breach-probability functions Gordon and Loeb analysed, the optimal spend always lies below X/e, and often well below it, because beyond a point further spending buys less and less reduction in v.
Mr. K was delighted. He was now at least dealing with arithmetic, not an anxiety metric.
In due course we did work out X for his organisation using a four-step method that is basically a combination of police work and detective work. In the first step we did a vulnerability analysis and logged all known risks; in the second we assigned a metric to each of those risks in consultation with the company; in the third we estimated the probability of each event; and in the final step we tabulated the impact of each and, from probability times impact, estimated X.
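The following is an added worked example, not code from the article or from Prime Infoserv: it carries the four-step estimate through on a constructed risk register (the three risks and their probabilities and losses are invented for illustration) and then applies the Gordon-Loeb model to it. It goes one step beyond the text by also computing the model-optimal spend for one of Gordon and Loeb's breach-probability functions, S(z, v) = v / (αz + 1)^β, so that the reader can see the 37% ceiling actually bounding the optimum. The parameters α and β, which describe how quickly spending drives the breach probability down, are assumed values.

```python
import math

# Constructed risk register for a hypothetical healthcare company (illustrative
# numbers, not from the article). Each entry is (risk, v, L): v is the
# probability that the breach occurs within the planning period, L the loss
# if it does, in rupees. Steps 1-3 of the method produce the entry and v;
# step 4 produces L.
RISK_REGISTER = [
    ("Patient database exfiltration", 0.15, 20_000_000),
    ("Ransomware on billing systems", 0.25, 6_000_000),
    ("Insider misuse of records", 0.05, 3_000_000),
]


def expected_loss(register):
    """X = sum over risks of v * L: the expected loss the article calls X."""
    return sum(v * L for _, v, L in register)


def gordon_loeb_cap(x):
    """Gordon-Loeb ceiling: rational spend never exceeds X/e (about 37% of X)."""
    return x / math.e


def breach_probability(z, v, alpha, beta):
    """Gordon-Loeb class I breach function S(z, v) = v / (alpha*z + 1)**beta.

    z is the security investment; alpha and beta (assumed values, see below)
    encode how quickly spending reduces the breach probability from its
    unprotected value v.
    """
    return v / (alpha * z + 1) ** beta


def net_benefit(z, v, L, alpha, beta):
    """ENBIS(z) = [v - S(z, v)] * L - z: expected loss avoided minus spend."""
    return (v - breach_probability(z, v, alpha, beta)) * L - z


def optimal_investment(v, L, alpha, beta):
    """z* maximising net_benefit for the class I function.

    Setting the derivative of net_benefit to zero gives
    (alpha*z + 1)**(beta + 1) = v*alpha*beta*L; a negative root means the
    best choice is to spend nothing on this risk.
    """
    z = ((v * alpha * beta * L) ** (1 / (beta + 1)) - 1) / alpha
    return max(z, 0.0)


def budget_table(register, alpha, beta):
    """Per-risk expected loss, Gordon-Loeb ceiling and model-optimal spend."""
    rows = []
    for name, v, L in register:
        x = v * L
        rows.append({
            "risk": name,
            "expected_loss": x,
            "cap": gordon_loeb_cap(x),
            "optimal": optimal_investment(v, L, alpha, beta),
        })
    return rows


if __name__ == "__main__":
    ALPHA, BETA = 1e-5, 1.0  # assumed: each rupee has a small, diminishing effect
    total = expected_loss(RISK_REGISTER)
    print(f"Expected loss X = {total:,.0f}; ceiling X/e = {gordon_loeb_cap(total):,.0f}")
    for row in budget_table(RISK_REGISTER, ALPHA, BETA):
        print(f"{row['risk']:<32} X={row['expected_loss']:>12,.0f} "
              f"cap={row['cap']:>12,.0f} optimal={row['optimal']:>12,.0f}")
```

With the assumed α and β, every risk's optimal spend comes out well under its X/e ceiling, and for a risk whose expected loss is tiny relative to what spending can buy, the optimum is zero. The ceiling is what the model lets you defend in front of a board without knowing α and β; the optimum itself depends on those parameters, which is where the detective work of steps 1-3 earns its keep.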
Since then we have been working in this area with clients in India, Bangladesh and the UK, and everywhere we found one common aspect: lack of awareness. That is how the idea of Infocon was born.
Infocon 2016 is happening on 18th November: a platform for sharing our confusion, triumphs, fears and best practices, and for pointing our torches in the same direction to cut a path through the literal jungle of information, which holds not only exotic fruits, flowers and scenes but ferocious enemies.